This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
CaseyB
Collaborator
‎2024-01-19 09:01 AM
Jump to solution

IKEv2 VPN with Cisco ASA - unexpected tunnel

I noticed something odd about an IKEv2 VPN tunnel with a Cisco ASA. As far as I can tell, the VPN is working without any issues, but the ASA is creating an unexpected IPsec tunnel. If it is possible to clean up, that would be ideal, but if not, it doesn't seem to be causing any issues.

IKEv2_narrow.png

Setup:

  • IKEv2
  • Subnet-to-Subnet exchange
  • Using NAT

The Check Point GW is running R81.10 Take 130, not sure of the Cisco ASA.

The Check Point is sending a public /29 to two different /32 devices on the ASA side. Running a debug shows that when the Cisco sends TSi for Create Child SA, it includes the following:

TSi_0.png

TSi_1.png

TSi_2.png

The first TSi with the ICMP protocol seems odd to me and the root of the issue. I have reached out to the other side with no response. Has anyone seen this before and know what setting / configuration might be causing this on the Cisco side?

Labels
0 Kudos
1 Solution

Accepted Solutions
CaseyB
Collaborator
4 weeks ago
In response to Mikael
Jump to solution

Okay, I went back and looked at the logs. This was a Check Point issue that was resolved by going to R81.10 JHF 131. 

The issue was present, I applied the update, and I haven't seen the issue in the logs since.

View solution in original post

13 Replies
JozkoMrkvicka
Mentor
Mentor
‎2024-01-19 09:32 AM
Jump to solution

Do you have configured VPN community as "subnet pair" ? Double check if traffic selectors (encryption domains) is really 1:1 on both ends.

Kind regards,
Jozko Mrkvicka
0 Kudos
CaseyB
Collaborator
‎2024-01-20 06:30 AM
In response to JozkoMrkvicka
Jump to solution

Yes, the community is setup as subnet pair. I do not have control over the other side, and since they are ghosting me, I have to take their word that everything is setup as a subnet on their end.

Though the TSi shows a subnet in the second value, it's the first value that is wrong.

0 Kudos
genisis__
Leader Leader
Leader
‎2024-01-19 04:08 PM
Jump to solution

Have a look at sk166417, IKEv2 narrowing is not isolated to Checkpoint b.t.w.

0 Kudos
CaseyB
Collaborator
‎2024-01-20 06:33 AM
In response to genisis__
Jump to solution

I looked over that earlier, it's informative.

0 Kudos
the_rock
Legend
Legend
‎2024-01-19 08:09 PM
Jump to solution

I know guy I used to work with showed me how to fix this on Cisco side. He used to work for Cisco TAC in India, said they used to see this issue all the time. Supposedly there was some sort of a bug in a certain version, but was fixed later. Will see if I can find any notes about it.

Best,

Andy

0 Kudos
CaseyB
Collaborator
‎2024-01-20 06:27 AM
In response to the_rock
Jump to solution

Sounds good. I was also wondering if it was a certain Cisco version, I thought I had this issue with another Cisco VPN, but I am having a difficult time finding it at the moment, but maybe they upgraded and resolved it.

0 Kudos
the_rock
Legend
Legend
‎2024-01-20 07:50 AM
In response to CaseyB
Jump to solution

I have good buddy I also worked with and he may know where the guy currently works, so let me see if we can get a hold of him : - ). Its been probably 7 years since I dealt with Cisco, mind you only with ASA, but I have lots of commands from notes I took back in the day.

I will keep you posted on what I find.

Best,

Andy

0 Kudos
Mikael
Collaborator
Collaborator
4 weeks ago
In response to the_rock
Jump to solution

Did you ever find anything?

 

Cheers

0 Kudos
CaseyB
Collaborator
4 weeks ago
In response to Mikael
Jump to solution

I upgraded to R81.10 JHF 131 and the issue is currently resolved from what I can tell. Not sure if the Cisco side has changed anything, never heard back from the third-party.

0 Kudos
CaseyB
Collaborator
4 weeks ago
In response to Mikael
Jump to solution

Okay, I went back and looked at the logs. This was a Check Point issue that was resolved by going to R81.10 JHF 131. 

The issue was present, I applied the update, and I haven't seen the issue in the logs since.

CheckPointerXL
Advisor
‎2024-01-20 01:22 AM
Jump to solution

Let's check for this:

- https://support.checkpoint.com/results/sk/sk170857 (fixed in T131)

- find out for any duplicate objects related to host/subnets in your vpn tu tlist output. If found, delete them from mgmt, install policy and reset tunnel

(1)
the_rock
Legend
Legend
‎2024-01-20 04:52 AM
In response to CheckPointerXL
Jump to solution

That could be related...

0 Kudos
CaseyB
Collaborator
‎2024-01-20 06:26 AM
In response to CheckPointerXL
Jump to solution

I have definitely have that bug on another tunnel, but this seems to be different as it's coming from the Cisco side.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events